[syslog-ng]Some device doesn't write to file

Santa Lau syslog-ng@lists.balabit.hu
Mon, 27 Oct 2003 16:54:51 +0800


----- Original Message ----- 
From: "Balazs Scheidler" <bazsi@balabit.hu>
To: <syslog-ng@lists.balabit.hu>
Sent: Monday, October 27, 2003 4:41 PM
Subject: Re: [syslog-ng]Some device doesn't write to file


> On Mon, Oct 27, 2003 at 04:36:21PM +0800, Santa Lau wrote:
> > Hi,
> >
> > I just upgraded the hardware and software of the syslog-ng server to
> > 1.60rc4 from 1.5 to log about 30 firewalls' syslog. After the upgrade, I did
> > find that nearly half of the firewalls' logs aren't written to the file. I
> > did check with tcpdump and it did receive tons of logs but didn't log them
> > into the file. The iptables/ipchains have all been disabled.  Is there any
> > way to identify the source of the problem? Thanks for your help.
>
> I think you should attach strace to the syslog-ng process and check whether
> it really receives log messages (you should see recvfrom() lines for each
> message received), it might also be possible that syslog-ng blocks on DNS
> for example.
>
> -- 
> Bazsi
> PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
>
>

Thanks for your tips. I used strace to trace the network activity (strace -e
network syslog-ng -F). I only found the IP which has logs.  It is different
from the result of tcpdump.

B. Regards,
Santa Lau


Result from strace:

.85.129.136")}}, [16]) = 237
recvfrom(3, "<144>HK1CUSTFW01: NetScreen devi"..., 2048, 0,
{sin_family=AF_INET, sin_port=htons(2053),
sin_addr=inet_addr("202.85.129.136")}}, [16]) = 238
recvfrom(3, "<180>Ocean_shores: NetScreen dev"..., 2048, 0,
{sin_family=AF_INET, sin_port=htons(2053),
sin_addr=inet_addr("202.82.19.35")}}, [16]) = 232
recvfrom(3, "<180>Ocean_shores: NetScreen dev"..., 2048, 0,
{sin_family=AF_INET, sin_port=htons(2053),
sin_addr=inet_addr("202.82.19.35")}}, [16]) = 232
recvfrom(3, "<180>Ocean_shores: NetScreen dev"..., 2048, 0,
{sin_family=AF_INET, sin_port=htons(2053),
sin_addr=inet_addr("202.82.19.35")}}, [16]) = 232
recvfrom(3, "<180>Ocean_shores: NetScreen dev"..., 2048, 0,
{sin_family=AF_INET, sin_port=htons(2053),
sin_addr=inet_addr("202.82.19.35")}}, [16]) = 232


Result from tcpdump:

16:54:09.842696 202.85.129.145.syslog > 202.85.170.92.syslog:  udp 158 (ttl
250, id 45138, len 186)
16:54:09.843394 202.85.171.101.syslog > 202.85.170.92.syslog:  udp 136 (ttl
253, id 28061, len 164)
16:54:09.850701 202.85.129.145.syslog > 202.85.170.92.syslog:  udp 158 (ttl
250, id 45141, len 186)
16:54:09.862894 202.85.129.145.syslog > 202.85.170.92.syslog:  udp 255 (ttl
250, id 45144, len 283)
16:54:09.864625 202.85.129.145.syslog > 202.85.170.92.syslog:  udp 189 (ttl
250, id 45147, len 217)
16:54:09.869982 202.85.129.145.syslog > 202.85.170.92.syslog:  udp 255 (ttl
250, id 45150, len 283)
16:54:09.878462 203.194.198.221.2053 > 202.85.170.92.syslog:  udp 300 (ttl
59, id 40259, len 328)
16:54:09.880661 203.194.198.221.2053 > 202.85.170.92.syslog:  udp 300 (ttl
59, id 40260, len 328)
16:54:09.889413 202.85.129.145.syslog > 202.85.170.92.syslog:  udp 255 (ttl
250, id 45153, len 283)
16:54:09.895356 202.85.129.143.syslog > 202.85.170.92.syslog:  udp 155 (ttl
250, id 13539, len 183)
16:54:09.908718 202.85.129.145.syslog > 202.85.170.92.syslog:  udp 255 (ttl
250, id 45156, len 283)
16:54:09.920173 202.85.129.145.syslog > 202.85.170.92.syslog:  udp 187 (ttl
250, id 45159, len 215)
16:54:09.925052 202.85.129.143.syslog > 202.85.170.92.syslog:  udp 155 (ttl
250, id 13542, len 183)
16:54:09.926965 202.85.129.145.syslog > 202.85.170.92.syslog:  udp 158 (ttl
250, id 45162, len 186)
16:54:09.928272 202.85.129.143.syslog > 202.85.170.92.syslog:  udp 155 (ttl
250, id 13545, len 183)